Corporate Espionage Risk Management For Financial Institutions

In the financial industry, business success and sustainability depend on the health of information systems. Damage to a firm’s information systems can tarnish its reputation, compromise its data, and result in legal fines and penalties. Large firms often depend on thousands of such systems interconnected via the internet, which raises a major security concern: corporate espionage.

The scale of corporate espionage in the finance industry has grown in recent times because cyber criminals have discovered that the right data can be more valuable than attacks aimed directly at cash, and that the data can be traded anonymously. Just last year, JP Morgan and other major banks became victims of a massive attack, which led finance regulators to scrutinize whether the attackers were also collecting intelligence rather than just aiming for financial gain.

As a result, it is crucial for CEOs and CSOs to make sure that security managers take appropriate action against corporate espionage, which often starts with risk management. This discipline involves understanding the factors that can affect a financial firm negatively, then mapping out the likelihood of each of those factors based on its probability of occurrence.

Firms in the finance industry should be aware of the following corporate espionage threats:

Interception and surveillance: The nation-backed surveillance malware ‘Gauss’ is an example. The tool was designed to monitor bank accounts and was reported as the creation of one or more governments.

Insider spies: According to the CERT database, insider theft of intellectual property most frequently occurred in banking and finance (13 percent) along with information technology and chemical industry sectors.

Sabotage and Internet of Things (IoT): Adversaries may plant compromised software during the manufacturing process of devices ordered by financial firms. In addition, the IoT networks and devices used by financial firms generate large amounts of data but are not easy to secure, and can therefore become a source of corporate espionage.

Blackmailing/extortion and bribery: The FBI’s Cyber Division reported that 90 percent of U.S. corporations are vulnerable to cyber extortion, in which attackers hold a firm’s data intelligence and blackmail the firm into performing a specific action (such as transferring black money). Cyber criminals may also bribe someone in the security team to find an endpoint through which to conduct espionage.

Corporate espionage makes risk management an increasingly important challenge for financial institutions of all kinds. Victims of corporate espionage in the finance industry fall into two categories: those who are aware they have been breached and those who aren’t.

The following regulators are concerned about risk management strategies adopted by financial companies:

OCIE (Office of Compliance Inspections and Examinations)

Operated by the US Securities and Exchange Commission, the office issued a ‘risk alert’ that covered a summary of risk management issues, including protection of information systems, identification of risks, and detection of risks associated with third parties.

FINRA (Financial Industry Regulatory Authority)

The regulator, concerned with the cyber health of the finance industry, provides guidance on risk control issues such as staff training, intelligence, information assurance, risk assessment, and incident response.

With regulators highlighting the significant risk of cyber espionage, and cyber security reported as the number one risk to the finance industry, financial firms should allocate more resources to this area of risk management. They should also address the documentation failures that lead to lapses in compliance and poorly written risk management procedures.

While every firm will have its own approach to risk management, the business discipline has a common workflow based on threat acceptance, severity mapping, impact determination, and implementation of control recommendations. To address corporate espionage, financial firms should adopt a risk management framework along these lines:

Acceptance of threat: Financial firms need to acknowledge the presence of corporate espionage.

Centralize risk management: The entire hierarchy must adopt and maintain a responsible attitude towards cyber risk management. When everyone treats risk management as a personal responsibility, it becomes centralized, which makes espionage and other attacks harder to get through.

Penetration testing: This is performed to assess the vulnerability of current security systems. It is applied to network addresses (to determine the topology of the cyber environment), network perimeter devices, wireless devices, web-based applications, in-house applications, and off-the-shelf software.

Social engineering: Social engineering assessments in risk management identify the weakest links and give organizations insight into what could happen if espionage were conducted via the corporate website. Assessment results can be used to run targeted training programs and educate employees on the threat of corporate espionage.

Technical audits: These are audits of system-wide security configurations. Default installations may leave holes through which adversaries can reach corporate data, so technical audits are conducted to prevent compromise. Technical audits may also be combined with physical security audits to close off all avenues of corporate espionage.

Background screening: A large number of corporate espionage cases involve malicious insiders who sell intelligence about their organization to external adversaries. Their access extends to sensitive endpoints, so background screening is important for reducing the risk of espionage through insiders.
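To make the technical-audit step of the framework concrete, here is an added example (not code from the article or from any product it mentions) of a configuration-baseline audit over a small fleet: each host's reported settings are compared against a baseline of non-default values, a missing setting is treated as non-compliant rather than silently passing, and hosts are ranked by the weighted severity of their findings so remediation and follow-up pentesting can be prioritized. The host names, setting keys, baseline values and severities are all constructed for illustration and are not drawn from any real system.

```python
"""Configuration-baseline audit over constructed host settings (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample data: the kind of key/value snapshot a technical audit
# might collect from three hosts. None of these are real hosts or real values.
SAMPLE_HOSTS: Dict[str, Dict[str, str]] = {
    "db-01": {
        "ssh.password_authentication": "no",
        "ssh.permit_root_login": "no",
        "snmp.community": "s3cr3t-readonly",
        "admin.default_password_changed": "yes",
        "tls.min_version": "1.2",
        "logging.remote_syslog": "yes",
    },
    "web-02": {
        "ssh.password_authentication": "yes",
        "ssh.permit_root_login": "no",
        "snmp.community": "public",
        "admin.default_password_changed": "yes",
        "tls.min_version": "1.0",
        "logging.remote_syslog": "no",
    },
    "iot-cam-07": {
        # An IoT device that only reports a few settings; the rest are absent.
        "ssh.password_authentication": "yes",
        "ssh.permit_root_login": "yes",
        "admin.default_password_changed": "no",
    },
}


def _tls_at_least_1_2(value: str) -> bool:
    """Accept a TLS minimum version of 1.2 or higher; reject unparsable values."""
    try:
        return float(value) >= 1.2
    except ValueError:
        return False


@dataclass(frozen=True)
class Check:
    key: str                       # setting name as reported by the host
    compliant: Callable[[str], bool]  # predicate: True when the value is acceptable
    severity: int                  # 1 (low) .. 3 (high), constructed weights
    message: str                   # what a reader of the report should fix


# Constructed baseline: defaults that a hardened build is expected to change.
BASELINE: List[Check] = [
    Check("ssh.password_authentication", lambda v: v == "no", 2,
          "SSH password authentication should be disabled in favour of keys"),
    Check("ssh.permit_root_login", lambda v: v == "no", 3,
          "direct root login over SSH should be disabled"),
    Check("snmp.community", lambda v: v not in {"public", "private"}, 3,
          "default SNMP community string in use"),
    Check("admin.default_password_changed", lambda v: v == "yes", 3,
          "vendor default administrative password still set"),
    Check("tls.min_version", _tls_at_least_1_2, 2,
          "TLS minimum version below 1.2"),
    Check("logging.remote_syslog", lambda v: v == "yes", 1,
          "logs are not shipped off-host, so tampering or a quiet intrusion may go unnoticed"),
]

Finding = Tuple[str, int, str]  # (setting key, severity, explanation)


def audit_host(settings: Dict[str, str]) -> List[Finding]:
    """Return one finding per baseline check the host fails or does not report."""
    findings: List[Finding] = []
    for check in BASELINE:
        value = settings.get(check.key)
        if value is None:
            # A setting the device never reported cannot be assumed safe.
            findings.append((check.key, check.severity,
                             f"setting not reported, treated as non-compliant: {check.message}"))
        elif not check.compliant(value.strip().lower()):
            findings.append((check.key, check.severity, f"{check.message} (found {value!r})"))
    return findings


def audit_fleet(hosts: Dict[str, Dict[str, str]]) -> Dict[str, dict]:
    """Audit every host and attach a severity-weighted score to each."""
    report = {}
    for name, settings in hosts.items():
        findings = audit_host(settings)
        report[name] = {"findings": findings, "score": sum(sev for _, sev, _ in findings)}
    return report


def prioritize(report: Dict[str, dict]) -> List[str]:
    """Host names ordered from worst score to best, for remediation planning."""
    return sorted(report, key=lambda host: report[host]["score"], reverse=True)


if __name__ == "__main__":
    fleet_report = audit_fleet(SAMPLE_HOSTS)
    for host in prioritize(fleet_report):
        print(f"{host}: score {fleet_report[host]['score']}")
        for key, sev, msg in fleet_report[host]["findings"]:
            print(f"  [sev {sev}] {key}: {msg}")
```

The point of the missing-setting rule is the IoT case from the threat list: a device that reports nothing about SNMP or TLS is exactly the one whose defaults nobody has reviewed, so the audit surfaces it at the top of the list instead of giving it a clean pass.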

Mitigating the risk of cyber intelligence gathering may seem like a daunting task for financial institutions, but the risk management framework above can be a significant weapon against corporate espionage. It is also critical for financial institutions to cooperate with government cyber security bodies to eliminate gaps that might otherwise remain undetected. Organizations taking these approaches will find their walls strongly fortified.

About the Author: Dan Virgillito is a Security Researcher for the InfoSec Institute specializing in enterprise security.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

I disagree. While cyber security is a huge area of risk and should be considered a top threat in financial services, the author has not provided any compelling evidence that cyber espionage is anything but a small part of that. The author uses this sentence to reference an article "As regulators highlight the significant risk of cyber espionage and cyber security being reported as the number one risk to the finance industry…" but the article is about cyber security and does not mention anything about cyber espionage. Additionally, the author references CERT – "According to the CERT database, insider theft of intellectual property most frequently occurred in banking and finance (13 percent) along with information technology and chemical industry sectors." but the author misrepresents the data in the CERT article, in that CERT found insider theft to occur most frequently in Information Technology (35%), followed by banking and finance at 13%.

The author also references a three year old article from one of his colleagues at Infosec Institute, and mentions Gauss which is also 3 years old. In this industry, 3 years old is ancient. Lastly, the author references the FBI and blackmailing/extortion. In these instances, it can hardly be considered espionage. Most blackmail/extortion comes in the form of hacktivists and simple financial extortion like CryptoLocker and its variants. It isn't competing corporations blackmailing/extorting for IP.

It should also be noted that FINRA and OCIE are not the only regulators concerned with compliance of risk management in financial services. FFIEC, FDIC, and NCUA also fall into that category.

Overall, the author's fear of cyber espionage seems to be based on FUD. It's certainly a threat to be considered, but it's far from being the top threat, and most risk management frameworks for cyber security also manage cyber espionage risks.